Thursday, January 15, 2015

Proxy ARP

In today’s post I would like to take a closer look at one feature: proxy
ARP. On Cisco routers it is enabled by default, and I think it is worth
writing about its possible pros and cons.
To get on the same page, a few words about ARP (Address Resolution
Protocol). ARP is used to resolve IP addresses to MAC (physical)
addresses. When we want to send a packet to a host with a known IP
address, we first need to know its MAC address, or the MAC address of the
next hop. This is where ARP starts its job. Let’s look at the diagram below.

Assume that R1 has never contacted R3, and I’m going to check its ARP table:

When we send a packet to a host behind a router, what ARP resolves is the
MAC address of the next hop (the router interface within the same
broadcast domain), not the MAC address of the final destination.

Now let’s move on to proxy ARP. The general idea was to make it possible
to reach any host in a neighbouring network segment for which you don’t
have a route. Considering the diagram above, assume R2 doesn’t have any
route towards R1 and we try to ping it.
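To make the two mechanisms concrete, here is a small model of the decision a router makes when an ARP request arrives: answer with its own MAC for its own address, stay silent for another host on the same segment, and, only when proxy ARP is on and it has a route out another interface, answer on behalf of a host it is not. This is an added example, not code from the original post or from Cisco; the router name R2, the interface names, addresses, MACs and the static route are constructed, and the misconfigured host with a classful /8 mask is the case the post alludes to.

```python
"""
Toy model of the decisions a router makes when it receives an ARP request,
with and without proxy ARP. Added example, not code from the original post;
addresses, MACs, interface names and routes are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import Dict, Optional


@dataclass
class Interface:
    name: str
    addr: str                 # "ip/prefix", e.g. "10.0.12.2/24"
    mac: str
    proxy_arp: bool = True    # Cisco IOS default: proxy ARP is enabled

    @property
    def ip(self) -> IPv4Address:
        return ip_interface(self.addr).ip

    @property
    def network(self) -> IPv4Network:
        return ip_interface(self.addr).network


@dataclass
class Router:
    interfaces: Dict[str, Interface]
    # static routes: destination network -> egress interface name
    routes: Dict[IPv4Network, str] = field(default_factory=dict)

    def lookup(self, dst: IPv4Address) -> Optional[str]:
        """Longest-prefix match over connected networks and static routes."""
        candidates = [(ifc.network, name) for name, ifc in self.interfaces.items()]
        candidates += list(self.routes.items())
        matches = [(net.prefixlen, name) for net, name in candidates if dst in net]
        return max(matches)[1] if matches else None

    def handle_arp_request(self, in_iface: str, target_ip: str) -> Optional[str]:
        """Return the MAC the router puts in its ARP reply, or None if it stays silent."""
        ifc = self.interfaces[in_iface]
        dst = ip_address(target_ip)
        if dst == ifc.ip:
            return ifc.mac       # plain ARP: the request is for our own address
        if dst in ifc.network:
            return None          # same segment: the real owner should answer
        if not ifc.proxy_arp:
            return None          # proxy ARP off: the host must use its gateway
        egress = self.lookup(dst)
        if egress is None or egress == in_iface:
            return None          # no route, or the route points back out this interface
        return ifc.mac           # proxy ARP: answer on behalf of the remote host


def host_arps_directly(host_addr: str, dst_ip: str) -> bool:
    """A host ARPs for a destination directly only if its own mask says it is local."""
    return ip_address(dst_ip) in ip_interface(host_addr).network


def build_r2() -> Router:
    """Constructed router R2 with two LAN segments and one static route."""
    return Router(
        interfaces={
            "Ethernet0/0": Interface("Ethernet0/0", "10.0.12.2/24", "aabb.cc00.0200"),
            "Ethernet0/1": Interface("Ethernet0/1", "10.0.23.2/24", "aabb.cc00.0210"),
        },
        routes={ip_network("10.0.34.0/24"): "Ethernet0/1"},
    )


def scenario(proxy_arp: bool, host_prefixlen: int = 8) -> Dict[str, Optional[str]]:
    """R1 sits on 10.0.12.0/24; with a classful /8 mask it ARPs directly for hosts
    that are really behind R2. Return what R2 answers for each destination."""
    r2 = build_r2()
    r2.interfaces["Ethernet0/0"].proxy_arp = proxy_arp
    r1_addr = f"10.0.12.1/{host_prefixlen}"
    results: Dict[str, Optional[str]] = {}
    for dst in ("10.0.12.2", "10.0.23.3", "10.0.34.4", "10.0.99.9"):
        if host_arps_directly(r1_addr, dst):
            results[dst] = r2.handle_arp_request("Ethernet0/0", dst)
        else:
            results[dst] = "via default gateway"   # correctly masked host never ARPs here
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print("proxy ARP", "enabled" if flag else "disabled", scenario(flag))
```

With proxy ARP enabled, the /8 host gets R2's own MAC for every reachable remote address and never notices its mask is wrong; with it disabled, only the request for R2's own address is answered and the host has to use a gateway. A host with the correct /24 mask never sends those requests in the first place, which is why a modern network rarely needs the feature.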

What we have seen here is proxy ARP. Sometimes it can be useful, but in
some cases it is very dangerous. You may need it for hosts that don’t
support subnetting (only classful addressing), but I’m not sure whether
that is still a problem nowadays. I’m more concerned about this feature
than excited by it. Let’s check what is needed to turn it off.

You can disable the feature per interface or globally, depending on your
needs. Of course, you can also leave it on and use it. You should
definitely turn it off on your edge (WAN) router. The important thing is
to understand how your current settings work and make your own decision.
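Because proxy ARP is on by default, `show running-config` says nothing about it until you disable it; the state is only visible in `show ip interface`. The following audit script, an added example that is not from the original post, parses that output (a constructed and shortened sample is embedded), lists the interfaces where proxy ARP is enabled, and emits the Cisco IOS commands to turn it off: `no ip proxy-arp` under the interface, or `ip arp proxy disable` globally. The post itself does not quote these commands; they are the standard IOS ones.

```python
"""
Audit 'show ip interface' output from a Cisco IOS router for interfaces with
proxy ARP enabled and produce the configuration that turns it off. Added
example, not code from the original post; the sample output is constructed
and shortened to the lines the parser needs.
"""
import re
from typing import Dict, Iterable, List

SAMPLE_SHOW_IP_INTERFACE = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.0.12.2/24
  Proxy ARP is enabled
  Local Proxy ARP is disabled
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 203.0.113.2/30
  Proxy ARP is enabled
  Local Proxy ARP is disabled
GigabitEthernet0/2 is administratively down, line protocol is down
  Internet protocol processing disabled
Loopback0 is up, line protocol is up
  Internet address is 192.0.2.1/32
  Proxy ARP is disabled
  Local Proxy ARP is disabled
"""

# Interface header lines start at column 0; attribute lines are indented.
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down),")
PROXY_RE = re.compile(r"^\s+Proxy ARP is (enabled|disabled)\b")


def proxy_arp_status(show_output: str) -> Dict[str, bool]:
    """Map interface name -> True if proxy ARP is enabled on it.
    Interfaces without IP processing produce no entry."""
    status: Dict[str, bool] = {}
    current = None
    for line in show_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PROXY_RE.match(line)
        if m and current is not None:
            status[current] = m.group(1) == "enabled"
    return status


def remediation(status: Dict[str, bool],
                wan_interfaces: Iterable[str] = (),
                global_disable: bool = False) -> List[str]:
    """Return IOS configuration lines that disable proxy ARP.
    global_disable -> the single global command 'ip arp proxy disable';
    otherwise 'no ip proxy-arp' under each listed WAN interface that still has
    it enabled, or under every enabled interface when no list is given."""
    if global_disable:
        return ["ip arp proxy disable"]
    wan = set(wan_interfaces)
    targets = [name for name, enabled in status.items()
               if enabled and (not wan or name in wan)]
    lines: List[str] = []
    for name in targets:
        lines += [f"interface {name}", " no ip proxy-arp"]
    return lines


if __name__ == "__main__":
    st = proxy_arp_status(SAMPLE_SHOW_IP_INTERFACE)
    for name, enabled in st.items():
        print(f"{name:20s} proxy ARP {'enabled' if enabled else 'disabled'}")
    print("\n".join(remediation(st, wan_interfaces=["GigabitEthernet0/1"])))
```

Run it against real output captured with `show ip interface` and re-run after the change: the same parser verifies that the line now reads `Proxy ARP is disabled` on the interfaces you touched, which is the check worth keeping in a configuration-compliance job.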